
Campus Firewalls and CCTV

adamgibs7
Level 6

Dear all,

I have a large campus of 40 buildings, each connected by fiber to its own distribution switch, and each building's distribution switch connects to the enterprise core switch via OSPF. I am introducing a campus firewall, so all the VLAN interfaces will move from the distribution switches to the firewall as the default gateway, and the firewall will have an OSPF peering with the enterprise core. I have three questions on which I need expert advice, and I want to know whether I am on the correct path:

  1. Moving all the VLANs (500 VLANs) from the distribution switches to the firewall, so that I can control user traffic between the VLANs and allow only specific traffic from users to the servers and towards the Internet.
  2. I have CCTV traffic that is captured on a network video recorder (NVR) server connected to the core. I need to move this NVR server to the DC along with the other servers. Is it good practice to keep the NVR server in the DC? If I keep it in the DC, I need to understand the traffic generated by the cameras, and the DC firewall will need to be upgraded accordingly. Please correct me if I am wrong.
  3. What are the best practices for deploying a CCTV network? Should it be completely isolated from the user and server production network, with no connectivity at all?

Thanks 

5 Replies

@adamgibs7 I would probably put the CCTV cameras in a separate VRF, routed via a separate interface on the Firewall. I would leave the default gateway for the VLANs on the switches and just route all egress traffic to the DC via the Firewall, so the Firewall is not performing inter-VLAN routing. If you want to perform filtering between VLANs, then TrustSec SGTs would be the better solution to use, and this can also restrict lateral movement within the same VLAN, which the firewall cannot.

Dear Rob,

"I would probably put the CCTV cameras in a separate VRF and routed via a separate interface on the Firewall."

But in this case I still need bigger firewall hardware. What I understand is that the NVR server's default gateway will be on the campus firewall as a separate interface, and all cameras will send their traffic to the NVR. The access switches will stay as they are currently (user and camera traffic), but there will be a separate trunk link from the distribution switch to the campus firewall for the cameras, creating VLAN sub-interfaces on the camera VRF interface.

If you look at it from the security aspect, the user traffic must be filtered, because one small piece of code on a user PC can overwhelm the distribution switch (the default gateway), so that is the reason I want to keep the default gateway on the firewall. TrustSec with Cisco ISE will be a tremendous job for IT to manage.
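The plumbing discussed above (camera VLANs in their own VRF on the distribution switch, a dedicated trunk and VLAN sub-interface toward the campus firewall, user VLANs left in the global routing table with their gateway on the switch) looks like the following on an IOS-XE distribution switch. This is an added example written for this page, not configuration posted by anyone in the thread; the VLAN numbers, VRF name and 10.x addresses are hypothetical and would be repeated once per building with a distinct transit subnet.

```cisco
! Distribution switch, building 01 (IOS-XE, VRF-lite). Added example, hypothetical addressing.
! Camera VLANs terminate inside the CCTV VRF; user VLANs stay in the global table.
vrf definition CCTV
 address-family ipv4
 exit-address-family
!
vlan 300
 name CCTV-CAMERAS-BLDG01
vlan 950
 name CCTV-TRANSIT-TO-FW
!
! Camera gateway lives in the VRF, so nothing in the global table (users, servers) can
! reach it without passing through the firewall.
interface Vlan300
 description Cameras, building 01
 vrf forwarding CCTV
 ip address 10.50.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Transit SVI toward the firewall's CCTV sub-interface (far end 10.250.0.1 in this example).
interface Vlan950
 description Transit to campus firewall, CCTV VRF
 vrf forwarding CCTV
 ip address 10.250.0.2 255.255.255.252
!
! Dedicated trunk to the firewall carrying only the CCTV transit VLAN.
interface TenGigabitEthernet1/0/1
 description Uplink to campus firewall (CCTV VRF)
 switchport mode trunk
 switchport trunk allowed vlan 950
!
! Existing access-switch trunk keeps carrying user VLANs and the camera VLAN together;
! separation happens at the SVI, not on the wire.
interface TenGigabitEthernet1/0/2
 description Downlink to access switch
 switchport mode trunk
 switchport trunk allowed vlan 100-199,300
!
! Everything in the CCTV VRF exits only via the firewall. Deliberately no route leaking
! between CCTV and the global table, and no OSPF for this VRF; the firewall is the only exit.
ip route vrf CCTV 0.0.0.0 0.0.0.0 10.250.0.1
```

Verify with `show vrf` and `show ip route vrf CCTV`: the only entries should be the connected camera subnet(s), the transit /30 and the static default; a route to any user or server prefix appearing in the VRF means leaking has been configured somewhere and the isolation is gone.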

It is a hard task.
CCTV uses multicast, and making the FW inspect all this multicast is not an optimal solution,
but we can have the control traffic inspected by the FW and make the data traffic bypass it.
Anyway, I will check the other points and update you.
MHM

I agree, TrustSec could have some implications if you have a virtual environment that doesn't support SGTs or if you need to propagate the tags into ACI. Based on my experience, the CCTV devices should definitely be isolated from the network, and they should only be allowed to talk to the NVR, and potentially to the vendor public portal(s) to download updates. For the latter, we usually configure the specific IP addresses of the portals alongside the ports and protocols.

In some cases I've seen the NVRs have multiple interfaces, one in the VLAN where the CCTV devices reside, and another in the normal data VLAN. In that case, when the CCTV devices need to talk to the NVR they don't have to traverse any VLAN, as the NVR interface they use is in the same VLAN.

I personally would go with your design moving all the inter-VLAN routing to be managed by the firewall, where you can apply security restrictions on the traffic passing through, but even if you don't want to restrict the traffic between the VLANs you can still have visibility of what traffic is passing between the VLANs.
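The allowlist described in the reply above (cameras may reach only the NVR and named vendor update portals on specific ports and protocols, everything else denied) can be expressed on a Cisco ASA terminating the CCTV VRF on its own sub-interface as follows. This is an added example for this page, not configuration from the thread; addresses, interface names and the vendor portal IP are hypothetical. RTSP on TCP/554 is the usual stream port, but the exact ports and the direction of the stream (NVR pulling from cameras versus cameras pushing) depend on the CCTV product and should be taken from its documentation.

```cisco
! Cisco ASA, campus firewall. Added example, hypothetical addressing and interface names.
! Sub-interface terminating the CCTV VRF transit VLAN coming from the distribution switch.
interface GigabitEthernet0/3.950
 vlan 950
 nameif cctv
 security-level 0
 ip address 10.250.0.1 255.255.255.252
!
! Return route for the camera subnets, via the switch side of the transit /30.
route cctv 10.50.0.0 255.255.0.0 10.250.0.2
!
object network CCTV-CAMERAS
 subnet 10.50.0.0 255.255.0.0
object network NVR
 host 10.10.20.50
object network VENDOR-UPDATE-PORTAL
 host 203.0.113.10
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Inbound from cameras: only the NVR (stream and management) and the vendor portal on 443.
! The explicit RFC1918 deny with logging surfaces any camera probing user or server space,
! which gives the visibility the reply above mentions even before tightening further.
access-list CCTV-IN extended permit tcp object CCTV-CAMERAS object NVR eq 554
access-list CCTV-IN extended permit tcp object CCTV-CAMERAS object NVR eq 443
access-list CCTV-IN extended permit tcp object CCTV-CAMERAS object VENDOR-UPDATE-PORTAL eq 443
access-list CCTV-IN extended deny ip object CCTV-CAMERAS object-group RFC1918 log
access-list CCTV-IN extended deny ip any any log
access-group CCTV-IN in interface cctv
!
! Toward the cameras: only the NVR may initiate (stream pull and camera management).
! Merge these ACEs into the ACL already applied inbound on the DC-facing interface rather
! than applying a new ACL there, or user-to-server traffic on that interface would be cut.
access-list DC-IN extended permit tcp object NVR object CCTV-CAMERAS eq 554
access-list DC-IN extended permit tcp object NVR object CCTV-CAMERAS eq 443
access-list DC-IN extended deny ip any object CCTV-CAMERAS log
```

If the NVR is dual-homed into the camera VLAN, as the reply describes, the camera-to-NVR ACEs are never hit because that traffic stays in the VLAN; in that case the firewall policy reduces to the vendor-portal permit plus the denies, and the NVR's data-VLAN interface becomes the only path from the production network into the camera estate, so host firewalling on the NVR itself matters more. Check hits with `show access-list CCTV-IN`: the deny lines should be the only ones counting anything other than NVR and portal flows.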

Marvin Rhoads
Hall of Fame

Putting all gateways on the firewall is almost always a bad idea that solves problems better left to other methods. That's my advice as a guy who has been doing firewalls for 30 years.

As others have mentioned, VRFs and possibly Trustsec SGTs solve this in a more scalable and elegant way.
